
Pull requests with signed tags

By Jonathan Corbet
December 21, 2011
One of the ongoing echoes from the compromise of kernel.org is an increased interest in verifying the integrity of pull requests sent to Linus. One way of doing that is for the developer to add a cryptographic signature to the email containing the pull request. If the top commit ID is included in the message, the pull request (and the code it covers) can be authenticated, but the digital signature itself is not stored in the mainline repository, making it hard to re-verify requests at some future time.

An alternative is to use git to create a signed tag, which stores the signature in the repository itself. In the future, that may become the accepted way to get code into the mainline. Linus has described some pending changes to git that make the capture and storage of that information simple. So simple, in fact, that there is no longer any need to worry about branches or unique tag names:

Everybody: you can now create a signed tag, and just point me at it. You don't even have to have a separate branch for me to pull any more, just the signed tag is fine.

So it would actually be nicer if you used temporary tag names the way you use temporary branch names when you ask me to pull. The tag *content* will be saved from now on (unless I screw up while traveling or something and pull with a machine that has an older git version), so there's very little advantage in then saving the tags separately by having ugly tag-names with long lifetimes.

All of this evidently works now, with existing stable git releases; only the process of merging such a tag requires the newer code. So, soon, signed tags may be the standard way to identify changes to be pulled.
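What "the tag content will be saved" means in concrete terms is that the merge commit Linus creates carries a verbatim copy of the signed tag in a `mergetag` header, so anyone with the repository can later re-run the same check `git verify-tag` performs. The following is an added example, not code from the article, from Linus, or from git itself: it takes apart a constructed signed-tag object and a constructed merge commit, shows which bytes the signature covers, and checks that the embedded tag actually signs the commit that was merged. The object ids, names and the armored signature block are placeholders, so the OpenPGP verification itself is left to gpg; the function names (`split_signature`, `embed_mergetag`, `recover_tag`) are this example's own.

```python
"""Re-verifying a signed tag that git has stored inside a merge commit.

Added example (not from the LWN article, Linus, or git). All objects are
constructed by hand and the PGP armor is a placeholder; the OpenPGP check
is what gpg does when `git verify-tag` or `git log --show-signature` calls
it, and is out of scope here.
"""

SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"

# Constructed signed-tag object, laid out as `git cat-file tag` prints it.
TAG_OBJ = (
    "object 1234567890abcdef1234567890abcdef12345678\n"
    "type commit\n"
    "tag for-linus-20111221\n"
    "tagger Example Developer <dev@example.org> 1324478400 +0100\n"
    "\n"
    "Fixes for 3.2-rc7\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "Version: GnuPG v1.4.11 (GNU/Linux)\n"
    "\n"
    "PLACEHOLDER-ARMORED-SIGNATURE\n"
    "-----END PGP SIGNATURE-----\n"
)


def parse_object(obj: str):
    """Split a tag or commit object into [(key, value), ...] headers and the
    message. A header value continues on following lines that begin with a
    single space, which is how git stores multi-line values like mergetag."""
    head, _, message = obj.partition("\n\n")
    headers = []
    for line in head.split("\n"):
        if line.startswith(" ") and headers:
            key, val = headers[-1]
            headers[-1] = (key, val + "\n" + line[1:])
        else:
            key, _, val = line.partition(" ")
            headers.append((key, val))
    return headers, message


def split_signature(tag_obj: str):
    """Return (signed_payload, armored_signature). git signs everything before
    the armor header: object id, type, tag name, tagger and message, so the
    signature binds the tag to one specific commit id."""
    idx = tag_obj.find(SIG_BEGIN)
    if idx < 0:
        return tag_obj, None
    return tag_obj[:idx], tag_obj[idx:]


def embed_mergetag(tag_obj: str) -> str:
    """Format a tag object as a `mergetag` commit header the way git does when
    it merges a signed tag: each line of the tag is prefixed with one space."""
    lines = tag_obj.rstrip("\n").split("\n")
    return "mergetag " + "\n ".join(lines) + "\n"


def build_merge_commit(tag_obj: str, tree: str, first_parent: str) -> str:
    """Constructed merge commit whose second parent is the tag's target."""
    fields = dict(parse_object(tag_obj)[0])
    return (
        f"tree {tree}\n"
        f"parent {first_parent}\n"
        f"parent {fields['object']}\n"
        "author Maintainer <maint@example.org> 1324500000 -0800\n"
        "committer Maintainer <maint@example.org> 1324500000 -0800\n"
        + embed_mergetag(tag_obj)
        + f"\nMerge tag '{fields['tag']}' of git://example.org/dev/linux\n"
    )


def recover_tag(commit_obj: str):
    """Pull the stored tag back out of a merge commit and check that the
    object it signs is one of the commit's parents. Returns (payload,
    signature) ready for an OpenPGP verifier; raises if the embedded tag does
    not cover what was actually merged."""
    headers, _ = parse_object(commit_obj)
    parents = [v for k, v in headers if k == "parent"]
    tags = [v for k, v in headers if k == "mergetag"]
    if not tags:
        raise ValueError("no mergetag header: nothing to re-verify")
    tag_obj = tags[0] + "\n"
    signed_object = dict(parse_object(tag_obj)[0])["object"]
    if signed_object not in parents:
        raise ValueError(f"mergetag signs {signed_object}, which was not merged")
    return split_signature(tag_obj)


if __name__ == "__main__":
    commit = build_merge_commit(TAG_OBJ, "a" * 40, "b" * 40)
    payload, sig = recover_tag(commit)
    print(payload)          # the bytes gpg would verify against sig
    print(sig.splitlines()[0])
```

The consistency check in `recover_tag` is the part a signature alone does not give you: a valid signature over a tag proves the developer vouched for commit X, but only the check that X is a parent of the merge proves the merge actually pulled X rather than something else.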



Pull requests with signed tags

Posted Dec 22, 2011 12:45 UTC (Thu) by cesarb (subscriber, #6266)

Why does this remind me of Monotone?

Pull requests with signed tags

Posted Dec 23, 2011 5:17 UTC (Fri) by flewellyn (subscriber, #5047)

Probably no accident. As I recall, Monotone was the existing FOSS distributed version control system that was closest to what Linus was looking for, post-BK. Only reason they didn't go with it was performance. Featurewise, it was what they wanted.

So, if they implement Monotoneish features in Git, it only makes sense.

Pull requests with signed tags

Posted Dec 25, 2011 19:05 UTC (Sun) by jnareb (subscriber, #46500)

> Probably no accident. As I recall, Monotone was the existing FOSS distributed version control system that was closest to what Linus was looking for, post-BK. Only reason they didn't go with it was performance. Featurewise, it was what they wanted.
>
> So, if they implement Monotoneish features in Git, it only makes sense.

From what I remember the performance thing was a temporary setback (a regression), which unfortunately hit at the time Linus was examining existing OSS DVCS for Linux kernel after BitKeeper fiasco...

...but from what I remember (check the GitHistory page on the Git Wiki - it is up, but not yet 100% working correctly) Linus didn't like Monotone's signing of all commits; that is why in Git only tags, and now merges / merge sides, are signed.


P.S. When IPsec was asking on git mailing list if it would be possible to sign every commit, they were pointed to Monotone instead ;-)

Pull requests with signed tags

Posted Dec 22, 2011 15:08 UTC (Thu) by joey (subscriber, #328)

Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds